LDAP+database - Credential duplication?

2018-05-10 Thread Felix Wolfheimer
I'm trying to set up guacamole with LDAP authentication and would like to
use postgresql as storage for the connection parameters. Looking at the
provided database schema files for postgresql (001-create-schema.sql), the
user information entered into the database requires a password. I'm
wondering whether this means that the LDAP user credentials need to be
duplicated and entered into the database? The guacamole manual however
suggests that once a user is successfully authenticated using the
credentials stored in LDAP, the guacamole database will trust this user and
will use the information present in the database for this user (
https://guacamole.apache.org/doc/gug/ldap-auth.html):

"Data can be manually associated with LDAP users by creating corresponding
user accounts within the database which each have the same usernames as
valid LDAP users. As long as the username is identical, a successful login
attempt against LDAP will be trusted by the database authentication, and
that user's associated data will be visible."

Actually, I'd like to prevent storing password information in the database
and only use the LDAP passwords for authentication. Is this supposed to
work? May I just adjust the database schema and leave the password field
empty?

BTW: Thanks for providing this great product. I've used it to host
workshops for up to 50 people, providing each of them access to a graphical
desktop. It's working great. :-)


Re: LDAP+database - Credential duplication?

2018-05-12 Thread Felix Wolfheimer
Hi Jonathan,

thanks a lot for your offer! If you'd like to share the script you use
to create the database entries, this would be useful for me. For the
workshop use-case I indeed create all the accounts in LDAP with random
passwords using a script, the SQL part of this is still missing though
and I started with creating a user-mapping.xml for Guacamole instead.
But in order to be more flexible, when it comes to the creation of
additional users/sessions, the database approach seems more convenient.
 

Thanks a lot and best regards

Felix


On Thursday, 10.05.2018, 22:19 +, Jonathan Hankins wrote:
> Felix,
> 
> There are some examples of generating the salt and hashing the
> password correctly for postgres and mysql in the online docs, for
> various programming languages. My use case is similar to yours
> (postgres+LDAP.) I needed to create users via script with random
> passwords in postgres, and I did it in shell script (bash) using the
> openssl(1) to generate the random data, salts and do the hashes, some
> bash as glue and psql to load the data in the database. It took me
> some trial and error to translate what was in the docs online to work
> in bash, and I'd be happy to share my script if it'd be useful to
> you.
> 
> -Jonathan Hankins
> 

signature.asc
Description: This is a digitally signed message part
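
The approach Jonathan describes above (random password, random salt, hash, load through psql), as an added example that is not part of the original thread and is not Jonathan's script. It relies on Guacamole's database authentication storing SHA-256 over the password followed by the salt as uppercase hex; the column names and the `add-guac-users.sh` file name are assumptions, so check the columns against your own 001-create-schema.sql.

```shell
#!/bin/sh
# Added example (constructed; not Jonathan's script). Emits SQL that creates
# Guacamole database users whose password is random and immediately discarded.
# Guacamole's database auth stores SHA-256(password + UPPERCASE_HEX(salt)).
set -eu

# 32 random bytes as 64 uppercase hex digits.
gen_salt_hex() { openssl rand -hex 32 | tr 'a-f' 'A-F'; }

# Throwaway password (24 base64 characters); it is hashed, never printed.
gen_password() { openssl rand -base64 18; }

# guac_hash PASSWORD SALT_HEX -> lowercase hex digest of PASSWORD||SALT_HEX
guac_hash() {
    printf '%s%s' "$1" "$2" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# user_sql USERNAME PASSWORD SALT_HEX -> one INSERT statement on stdout.
# Column names are an assumption (0.9.x-era guacamole_user table).
user_sql() {
    # Allow-list the username so nothing needing SQL quoting reaches the statement.
    case $1 in
        ''|*[!A-Za-z0-9._-]*) echo "rejected username: $1" >&2; return 1 ;;
    esac
    case $3 in
        *[!0-9A-F]*) echo "salt must be uppercase hex" >&2; return 1 ;;
    esac
    [ "${#3}" -eq 64 ] || { echo "salt must be 32 bytes" >&2; return 1; }
    printf "INSERT INTO guacamole_user (username, password_salt, password_hash, password_date)\n"
    printf "VALUES ('%s', decode('%s', 'hex'), decode('%s', 'hex'), now());\n" \
        "$1" "$3" "$(guac_hash "$2" "$3")"
}

# Usage: sh add-guac-users.sh alice bob | psql -d guacamole_db
for u in "$@"; do
    user_sql "$u" "$(gen_password)" "$(gen_salt_hex)"
done
```

Because the generated password is never printed or stored, the database row holds no copy of the LDAP credential; the usernames passed in must be identical to the LDAP usernames.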


Filetransfer - Transfer of directory trees

2018-08-16 Thread Felix Wolfheimer
Currently, only single files can be transferred from the client to the
server or vice versa. I'm just wondering whether there are plans to
implement file transfer for complete directory trees, such that the
additional step of creating an archive, downloading/uploading,
unpacking on the remote side would not be required.  


Re: Dynamic Session Creation

2018-08-20 Thread Felix Wolfheimer
Hi Nick and others,

I'm making some progress on the implementation of the dynamic session
handling. Basically, the backend part is completed. As I wanted to be
independent of the cloud provider and also wanted to allow the mechanism to
work for on-premises installations, I use a resource management system
common in the HPC world (SLURM) to organize the sessions on a cluster of
session host instances, i.e., I can create a session request for a user (in
fact it's a script describing how to startup the X-display, the window
manager, etc. which is submitted to the queueing system and then gets
executed on one of the session host instances). There is also a mechanism
to add the session information (remote host, display port, VNC password,
etc.) to the Guacamole database automatically once the session is ready to
accept connections. For cloud setups, instances are automatically deployed,
if there's not enough capacity on the already running instances. It works
nicely so far.

I'm now facing the challenge of triggering the backend mechanism from the
web-app as well as reporting progress information from the backend to the
client. I'd like to achieve the following:

When a user logs in to Guacamole with valid credentials and there's no
active session for this user, then the backend mechanism should be
triggered and start the session creation and, if required, the creation of
a new instance which can host the session. Although I can use a Guacamole
event listener to trigger the backend process which creates the instance
and the session for the user, the creation process can take 2-3 minutes
before it arrives at the point where the session is ready to connect
(because the instance needs some time to start up). The challenge is now to
"inform" the user about what's going on in the backend during the time
he/she waits for the desktop to appear, i.e., I'd like to just show a
dialog box which displays the information it gets from the backend, like:

Instance is created.
Desktop is prepared.
etc.

I tried to wait in the event listener, which creates the session, until the
session is ready, but this creates a horrible user experience, of course
(web app is unresponsive during that time).

I was looking in the Guacamole code and it seems that
guacamole/src/main/webapp/app/client/controllers/clientController.js
contains the status messages displayed during the connection setup and also
the code for periodic re-connection if there is a backend issue (in my
case: session is not yet ready). Maybe someone knowing the internals of
Guacamole can enlighten me whether that's a promising place to implement
the status messages and the communication with the backend.

Thanks for any help!




On Wed, 30 May 2018 at 19:08, Nick Couchman wrote:

> On Sun, May 20, 2018 at 4:58 PM, Felix Wolfheimer 
> wrote:
>
>> Hi Nick,
>>
>> thanks for your answer. Yes, I was talking about VNC sessions on Linux.
>>  The scenario I have in mind is a cloud deployment with auto-scaling
>> functionality:
>>
>> There's one instance where guacamole is installed. This instance is
>> small, cheap, and runs 24/7. The applications used in the VNC sessions
>> require decent 3D rendering performance and, thus, I want to host them
>> on GPU instances. These instances are expensive and so I would like to
>> only spin them up when there's demand for a session. I have a mechanism
>> that can submit a script (which creates a VNC session) to a scheduling
>> system (e.g. SLURM). This scheduling system is connected with an
>> autoscaling mechanism, e.g., cfncluster, which starts session host
>> instances if there's demand. The session starts on the new instance,
>> and the session information is added to the guacamole_db.
>> This is why I was thinking that it would be great to have a mechanism to
>> trigger the submission of the session creation script to the scheduling
>> system when a user logs in. As the start of an instance needs a moment,
>> I would like to have some way to inform the user about what's going on
>> in the background.
>>
>
>
> That makes sense.  You should be able to do something like this in a
> Guacamole extension - monitor the number of users connected to a particular
> connection or connection group, and then trigger something every time
> there's a connect or disconnect.  I would imagine the most useful thing
> would be event listeners:
>
> http://guacamole.apache.org/doc/gug/event-listeners.html
>
> If you trigger an action every time a connection is established or
> terminated, you can scale it in such a way that you always have 1 or more
> spare instances running (depending on how frequently and quickly you expect
> users to connect), and that would do the trick.  If you wanted to go even
> leaner than that, you could trigger it at user l

Handling of simultaneous key-down and mouse-button events

2018-10-22 Thread Felix Wolfheimer
I'm using an application on a remote desktop served by Guacamole 0.9.14
(Remote side: CentOS 7.5, MATE Desktop, TurboVNC 2.2, VirtualGL 2.6). The
application uses the following workflow:
When the spacebar is pressed (and held down), it shows an overlay on an
OpenGL window it renders. This overlay has three buttons. Each button
selects a different action for the 3D view (rotate, zoom, pan). So while
the spacebar is pressed, I'm moving the mouse to this overlay, press the
left mouse button to select the action, and then move the mouse (spacebar
and left mouse button still pressed at the same time) to perform the action
on the 3D view.

While a normal TurboVNC+VirtualGL connection works for this workflow, the
behavior gets weird when guacamole is on top of it. The overlay flickers
once I start moving the mouse (mouse button and spacebar pressed) and the
3D view doesn't perform the expected action. I suppose that guacamole has
some difficulty passing the events to the remote session. It seems like it
sends a series of key-down and key-release events instead of a single
key-down event at the start and a key-release event at the end (at least
the behavior of the remote application looks like this). Has anyone seen
such a behavior?


Re: Handling of simultaneous key-down and mouse-button events

2018-10-22 Thread Felix Wolfheimer
Hi Mike,

thanks for confirming that this is a kind of known behavior. Is there a
way to tweak the auto-repeat timer in Guacamole? I suppose that setting
it to a high value might give the behavior I'd need for the application
although this might lead to unexpected behavior (?) for other
applications. 



Re: Handling of simultaneous key-down and mouse-button events

2018-10-23 Thread Felix Wolfheimer
Hi Mike

thanks a lot for your input. I thought a bit about it and it seems that
the heuristic which makes sense here is:

Use the keyboard behavior as is if no mouse button is pressed.
If a mouse button is pressed, don't send repeated key events while the
mouse button is pressed.

Many CAD programs use combined key-down + mouse button-down + mouse
move events to navigate in their 3D views, so I think that this
behavior makes sense for at least this class of applications. I looked
at the Guacamole.Keyboard as well as Guacamole.Mouse implementations.
As I'm not a Javascript programmer I'm not completely sure whether I
understand all of this stuff correctly, but it seems to me that I might
get the described behavior by changing a function 
in guacamole/src/main/webapp/app/client/directives/guacClient.js:

// Translate local keydown events to remote keydown events if keyboard
// is enabled
$scope.$on('guacKeydown', function keydownListener(event, keysym, keyboard) {
    if ($scope.client.clientProperties.keyboardEnabled &&
        !event.defaultPrevented &&
        !($scope.client.mouse.currentState.left ||
          $scope.client.mouse.currentState.middle ||
          $scope.client.mouse.currentState.right)) {
        client.sendKeyEvent(1, keysym);
        event.preventDefault();
    }
});

The additional "!($scope.client.mouse.currentState.left ||
$scope.client.mouse.currentState.middle ||
$scope.client.mouse.currentState.right)" should tell the client to not
send repeated key-down events if any mouse button is clicked. Does this
sound right?




Re: Handling of simultaneous key-down and mouse-button events

2018-10-24 Thread Felix Wolfheimer
Hi Mike,

found a perfect way to get what I want from Guacamole and just wanted
to share what I did in case anyone runs into a similar issue.

In guacamole-common-js/src/main/webapp/modules/Keyboard.js 

there's a list (no_repeat) of keys for which the key-down event is not
repeatedly sent to the server if a user presses the key and holds
it down. I just added the spacebar key to this list and rebuilt the
webapp. While the application on the remote side is now working as
expected, the drawback is that something like a text box of a remote
application also won't get multiple key-down events if the user holds
down the space-bar, i.e., if someone wants to type multiple spaces in
such a window he/she needs to press the spacebar for each space he/she
wants to type on the remote side. For me that's perfectly fine. :-)
Thanks for your help, Mike!  
